v.10 - A Look at Route Domains

New to v.10 is a feature F5 calls route domains. A route domain is an isolated routing environment in which addresses and routes are appended (internally to the system) with a domain identifier, which allows IP space to be reused within the BIG-IP system. Each route domain has its own routing table, and route domains can be nested so that a lookup that comes up empty in route domain 1 can peek into a parent route domain for an answer. A route in one route domain can also point to a gateway in another route domain. Note that the presence of a route still doesn't mean a flow will occur: the BIG-IP is still a default-deny device and will not pass traffic unless a virtual server is configured to do so. The Route Domain ID is a two-octet field, and thus can be 0 - 65534. However, each route domain needs a unique VLAN. The number of route domains you can effectively deploy depends on the platform and the configuration objects in use per route domain.
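The lookup behaviour described above, as an added Python model (not F5 code and not part of the original article): each domain keeps its own table, a miss falls through to the parent, a route may name a gateway in another domain, and a route alone never permits a flow. The class and function names, the longest-prefix choice within a domain, and all addresses are assumptions constructed for illustration.

```python
import ipaddress

class RouteDomain:
    """Conceptual model: one routing table per domain, optional parent."""
    def __init__(self, rd_id, parent=None):
        if not 0 <= rd_id <= 65534:  # ID range given in the article
            raise ValueError("route domain ID out of range")
        self.rd_id, self.parent, self.routes = rd_id, parent, []

    def add_route(self, prefix, gateway, gateway_rd=None):
        # gateway_rd models a route whose gateway sits in another route domain
        gw_rd = self.rd_id if gateway_rd is None else gateway_rd
        self.routes.append((ipaddress.ip_network(prefix), gateway, gw_rd))

    def lookup(self, dest):
        """Longest-prefix match in this domain; on a miss, peek into the parent."""
        addr = ipaddress.ip_address(dest)
        hits = [r for r in self.routes if addr in r[0]]
        if hits:
            _, gw, gw_rd = max(hits, key=lambda r: r[0].prefixlen)
            return {"matched_in": self.rd_id, "gateway": gw, "gateway_rd": gw_rd}
        return self.parent.lookup(dest) if self.parent else None

def flow_allowed(listeners, rd_id, dest, port):
    """Default deny: only a configured listener (virtual server) passes traffic."""
    return (rd_id, dest, port) in listeners

def build_demo():
    # Constructed sample topology: two tenants reuse 10.10.10.0/24 under parent 0.
    rd0 = RouteDomain(0)
    rd1 = RouteDomain(1, parent=rd0)
    rd2 = RouteDomain(2, parent=rd0)
    rd0.add_route("0.0.0.0/0", "192.0.2.1")
    rd1.add_route("10.10.10.0/24", "10.10.10.254")
    rd2.add_route("10.10.10.0/24", "10.10.10.254")
    rd2.add_route("172.16.0.0/16", "10.10.10.254", gateway_rd=1)  # cross-domain gateway
    return rd0, rd1, rd2

if __name__ == "__main__":
    rd0, rd1, rd2 = build_demo()
    listeners = {(1, "10.10.10.100", 80)}  # one virtual server, in route domain 1 only
    for rd, dest in [(rd1, "10.10.10.5"), (rd2, "10.10.10.5"),
                     (rd1, "198.51.100.7"), (rd2, "172.16.4.4")]:
        print(rd.rd_id, dest, rd.lookup(dest))
    # A route exists for rd2, but no virtual server does, so the flow is refused.
    print(flow_allowed(listeners, 2, "10.10.10.100", 80))
```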

Configuration

To implement a route domain, you need to create the following objects in order:

1. VLAN
2. Route Domain
3. Self IP Address
4. Routes*
5. Pool w/ members*
6. Virtual Server

(* For a local implementation, no routes would be necessary. For an advanced implementation with iRules, you may not even reference a pool.)

Since it's new and shiny and I'm itching to play, we'll configure the route domain example in the tmsh shell.

You'll notice that the only real indication of a route domain, besides the route domain object itself, is the IP addresses on the self IP and pool members. Now that we have it configured, what can we do with it? The obvious use case is multitenancy: a hosting organization can cookie-cutter the backend servers without ever needing to manage IP space, and each customer can be identical up through layer three. Another use could be application versioning. I've done this with different virtuals serving alternate versions of the application, which required unique IPs and ports on the backend and additional work from the developers and network admins. With route domains, the new application can be deployed identically to the existing version, requiring only a simple iRule to switch between them and no additional work from the developers.

iRules and Route Domains

ROUTE::domain returns the route domain of the current connection. This is contextual, as the route domain on the client side may be different from the one on the server side, as in our example. This is illustrated in the log output from this iRule:

The LB::server command is not new, but the route_domain keyword replaces vlan. All the other commands that deal with IP addresses should work as expected, but will return the route domain information if not in route domain zero.

Route domains are cool, easy, and incredibly useful. However, at this time, the GTM and ZebOS modules only support the default route domain, so plan accordingly. There is also a problem with NAT between route domains documented in Solution 9933 (requires a login to https://support.f5.com).